# Provider Credentials

# AWS

Atlantis simply shells out to terraform so you don't need to do anything special with AWS credentials. As long as terraform commands works where you're hosting Atlantis, then Atlantis will work. See https://www.terraform.io/docs/providers/aws/#authentication for more detail.

# Multiple AWS Accounts

Atlantis supports multiple AWS accounts through the use of Terraform's AWS Authentication.

If you're using the Shared Credentials file you'll need to ensure the server that Atlantis is executing on has the corresponding credentials file.

If you're using Assume role you'll need to ensure that the credentials file has a default profile that is able to assume all required roles.

Environment variables authentication won't work for multiple accounts since Atlantis wouldn't know which environment variables to execute Terraform with.

# Assume Role Session Names

If you're using Terraform < 0.12, Atlantis injects 5 Terraform variables that can be used to dynamically name the assume role session name. Setting the session_name allows you to trace API calls made through Atlantis back to a specific user and repo via CloudWatch:

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "${var.atlantis_user}-${var.atlantis_repo_owner}-${var.atlantis_repo_name}-${var.atlantis_pull_num}"
  }
}

Atlantis runs terraform with the following variables:

If you want to use assume_role with Atlantis and you're also using the S3 Backend, make sure to add the role_arn option:

terraform {
  backend "s3" {
    bucket   = "mybucket"
    key      = "path/to/my/key"
    region   = "us-east-1"
    role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    # can't use var.atlantis_user as the session name because
    # interpolations are not allowed in backend configuration
    # session_name = "${var.atlantis_user}" WON'T WORK
  }
}